Fortigate Link Aggregation 802.3AD / LACP with Cisco Switching

I recently clustered a pair of Fortigate 240Ds in an Active/Active configuration and wanted to uplink the Fortigate firewalls to my Cisco 3750-Xs using a pair of 4-port LACP port trunks. Given that this would be a cross-vendor LAG, I thought I’d document the settings required for the Fortigate to bring up the link successfully.

Ok, let's start with the Fortigate:

[Screenshot: Fortigate 802.3AD aggregate interface configuration]

Configuration is very simple, and Fortinet have kindly made this easier in later versions of FortiOS by providing a drop-down that lets you select ‘802.3AD Aggregate’ as the interface type. After setting that, simply add the ports you’d like to bond.

Now on to the Cisco 3750-Xs:

I’ll be carrying multiple VLANs across my LAG, so my config may differ slightly from yours, but here goes.

First, create your Port-Channels on the switch:

interface Port-channel2
description FW1-FGT-Top
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 200,201,202,203
switchport mode trunk
storm-control broadcast level 20.00
storm-control multicast level 20.00
storm-control action shutdown
storm-control action trap
!

interface Port-channel3
description FW1-FGT-Bottom
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 200,201,202,203
switchport mode trunk
storm-control broadcast level 20.00
storm-control multicast level 20.00
storm-control action shutdown
storm-control action trap
!

Now configure your ports, and add them to the channels:

interface GigabitEthernet1/0/1
description FW1-P1-Top
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 200,201,202,203
switchport mode trunk
storm-control broadcast level 20.00
storm-control multicast level 20.00
storm-control action shutdown
storm-control action trap
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
channel-group 2 mode active
!
interface GigabitEthernet1/0/2
description FW1-P1-Top
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 200,201,202,203
switchport mode trunk
storm-control broadcast level 20.00
storm-control multicast level 20.00
storm-control action shutdown
storm-control action trap
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
channel-group 2 mode active
!
interface GigabitEthernet1/0/3
description FW1-P1-Top
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 200,201,202,203
switchport mode trunk
storm-control broadcast level 20.00
storm-control multicast level 20.00
storm-control action shutdown
storm-control action trap
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
channel-group 3 mode active
!
interface GigabitEthernet1/0/4
description FW1-P1-Top
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 200,201,202,203
switchport mode trunk
storm-control broadcast level 20.00
storm-control multicast level 20.00
storm-control action shutdown
storm-control action trap
spanning-tree bpdufilter enable
spanning-tree bpduguard enable
channel-group 3 mode active
!
interface GigabitEthernet2/0/1
description FW1-P1-Top
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 200,201,202,203
switchport mode trunk
storm-control broadcast level 20.00
storm-control multicast level 20.00
storm-control action shutdown
storm-control action trap
spanning-tree portfast
spanning-tree bpduguard enable
channel-group 2 mode active
!
interface GigabitEthernet2/0/2
! encapsulation must match the other channel-group 2 members or this port will not bundle
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 200,201,202,203
switchport mode trunk
storm-control broadcast level 20.00
storm-control multicast level 20.00
storm-control action shutdown
storm-control action trap
spanning-tree portfast
spanning-tree bpduguard enable
channel-group 2 mode active
!
interface GigabitEthernet2/0/3
description FW1-P1-Bottom
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 200,201,202,203
switchport mode trunk
storm-control broadcast level 20.00
storm-control multicast level 20.00
storm-control action shutdown
storm-control action trap
spanning-tree portfast
spanning-tree bpduguard enable
channel-group 3 mode active
!
interface GigabitEthernet2/0/4
description FW1-P1-Bottom
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 200,201,202,203
switchport mode trunk
storm-control broadcast level 20.00
storm-control multicast level 20.00
storm-control action shutdown
storm-control action trap
spanning-tree portfast
spanning-tree bpduguard enable
channel-group 3 mode active
!

The key setting for the port-channel / LAG to come up is to ensure that the ‘channel-group’ mode is ‘active’; this makes the channel use LACP (802.3AD), which is what the Fortigate’s 802.3AD aggregate interface negotiates with. The other Cisco modes (‘on’, ‘desirable’, ‘auto’) are static or PAgP and will not negotiate with the Fortigate.
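As an added example (not from the original post), a small Python checker that parses IOS interface config in the style shown above and flags member ports that would stop the LAG bundling or negotiating: a channel-group mode that is not LACP, switchport settings that differ from the Port-channel, and a bare ‘spanning-tree portfast’ on a trunking member. The config embedded in it is a constructed sample, not the switch config above, and the parser accepts both indented running-config output and the unindented listing format used in this post.

```python
import re
# Constructed sample, not the post's full config: one Port-channel plus two members.
# Gi2/0/2 has no encapsulation line, bare 'portfast' and mode 'on' (no LACP at all).
SAMPLE_CONFIG = """
interface Port-channel2
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface GigabitEthernet1/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 2 mode active
!
interface GigabitEthernet2/0/2
 switchport mode trunk
 spanning-tree portfast
 channel-group 2 mode on
!
"""
# Switchport settings a member must share with its Port-channel, or IOS suspends it.
MATCH_KEYS = ("switchport trunk encapsulation", "switchport trunk allowed vlan", "switchport mode")
def parse_interfaces(text):
    """Return {interface name: [stripped config lines]} from IOS config text."""
    ifaces, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("interface "):
            current = ifaces.setdefault(line.split(None, 1)[1], [])
        elif line == "!" or not line:
            current = None
        elif current is not None:
            current.append(line)
    return ifaces

def audit_lag(text):
    """Return findings for member ports that will not bundle or will not run LACP."""
    ifaces, findings = parse_interfaces(text), []
    for name, lines in ifaces.items():
        cg = re.search(r"^channel-group (\d+) mode (\S+)$", "\n".join(lines), re.M)
        if cg is None:
            continue
        group, mode = cg.groups()
        po = ifaces.get(f"Port-channel{group}", [])
        if mode not in ("active", "passive"):  # on/desirable/auto are not LACP
            findings.append(f"{name}: channel-group mode '{mode}' is not LACP (use 'active')")
        for key in MATCH_KEYS:
            if [l for l in lines if l.startswith(key)] != [l for l in po if l.startswith(key)]:
                findings.append(f"{name}: '{key}' differs from Port-channel{group}")
        if "spanning-tree portfast" in lines:  # bare portfast is ignored on trunk ports
            findings.append(f"{name}: use 'spanning-tree portfast trunk' on a trunking member")
    return findings
```

Running audit_lag over a saved ‘show running-config’ before bringing the LAG up catches the member mismatches that otherwise only show as a suspended port in ‘show etherchannel summary’.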

Check that the link has come up on the Fortigate:

[Screenshot: Fortigate aggregate interface showing the link up]

and then on the Cisco end via ‘show interfaces port-channel x’:

[Screenshot: ‘show interfaces port-channel 2’ output]
